The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. RTX file) in all versions up to, and including, 3.3.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Ninja Forms WordPress plugin before 3.8.11 does not escape an URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Cross-Site Request Forgery (CSRF) vulnerability in Saturday Drive Ninja Forms allows Cross Site Request Forgery.This issue affects Ninja Forms: from n/a through 3.8.6.

Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection.This issue affects Ninja Forms: from n/a through 3.8.4.

Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25.

Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25.

Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms.This issue affects Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.2.0.

Improper Input Validation vulnerability in Saturday Drive Ninja Forms Contact Form.This issue affects Ninja Forms Contact Form : from n/a through 3.6.24.

Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in custom fields for labels. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing to the website using the product.

Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in submit processing. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing to the website using the product.